Myth 4: "I don't take enough credit cards..."

If a company takes credit cards at all, in any volume, it is required to be PCI compliant. While validation, which is determined by the number of credit card transactions, may differ, compliance is a constant for any company that accepts credit cards as payment.

"…to need to be compliant." I have heard this statement from many clients. It is a common and broad misunderstanding of the requirements. While there are various levels of credit card merchants and service providers, there is no difference in compliance requirements between them. The fundamental confusion is between compliance and validation. PCI requires that any entity that stores, processes or transmits credit card data be in compliance with the PCI Data Security Standard. The amount of validation is the real differentiator.

Additionally, PCI assumes that each covered entity is always fully in compliance with PCI. I hear customers say that they must be compliant by such and such a date. That is wrong. What they need to understand is that they are assumed to be compliant right now, and there may be a date by which they have to be validated as compliant. The fundamental difference between Level 1 and Level 4 PCI requirements lies only in the amount of third-party validation that must be done to meet the certification process.

Any entity that takes credit cards takes enough credit cards to need to be compliant with PCI. The number of credit card transactions determines the level of validation, not compliance.

About the author

John Kindervag is a 20-year veteran of the high-technology world. He is the senior security architect for Vigilar Inc., where he helps corporations design secure networks and manages Vigilar's Vulnerability Assessment and Compliance Practice. Kindervag holds a Bachelor of Arts degree in Communications from the University of Iowa.